APT changed the rules

By Martyn Ruks,
12 December 2013

To respond to an incident that might involve a sophisticated or targeted attacker you would be well served approaching an accredited company.

IT-related Incident Response and forensics services have been around for many years and had found a comfortable niche in terms of the skills and methodology needed to deliver them. However, whilst the Incident Response industry was settling down to a steady diet of credit card breaches, inappropriate use of company equipment and web defacements, the really bad guys were busy. These weren’t the attackers who were interested in defacing your website or emptying the contents of your bank account; their interest was on a much bigger scale. They wanted to steal the designs for the brakes on your car, find out negotiating positions on M&A activity and use the combined knowledge from all of this to reshape the global economy. Alongside this, the Incident Response community was busy training an army of Certified EnCase Examiners and worrying about chains of custody and due process.

This was fine for the more traditional incidents listed above but was completely inappropriate for the new and far more dangerous threat that had been hovering below the radar for so many years. When discovering a machine compromised by a nation state attacker, the “bag-and-tag” brigade were completely out of their depth. Why? Well, their “take the computer and analyse it for a couple of weeks before producing a report” approach didn’t fit with our dynamic and agile attacker. The lack of understanding about how systems and networks are compromised meant that evidence was either not understood or just plain missed. Malware that wasn’t detected by AV and required smart people with reverse engineering skills to investigate just sat on the virtual shelf gathering dust. Even containment of the incident was failing: after finding one system on the network unavailable, the attacker just switched to another, often using completely different technology and malware.

The result was that the attackers just kept doing what they had been doing for so many years previously. No-one was disrupting their operations and, worst of all, the people affected were losing yet more money paying for incident response services whilst not removing the problem. But help and hope were at hand.

From this old world emerged a dynamic few who were equipped for this new age of Incident Response. These were the people who could work quickly, understand the methods of compromise, track attackers across the network and unlock the secrets hidden within the malware. Armed with IDA Pro rather than a plastic bag, they were able to find the attacker and understand their capabilities, and a handful of them could then even put in place the solutions needed to stop the attackers getting back in. Only one problem remained: how would the victims of such attacks find the people with these skills? How would they be able to validate that their skills were sharp and their approach was the right one?

Step forward both the UK Government, through CESG, its Information Assurance arm, and an industry body, CREST. By working with the brightest minds in the industry, both organisations were able to put in place schemes to accredit the work of these companies and validate the competencies of the people doing the work. So if you find yourself in need of someone to help you respond to an incident that might involve a sophisticated or targeted attacker, you would be well served by approaching one of these accredited companies first. For more details of the people providing these services you can look here:

MWR InfoSecurity provide specialist advice and solutions in all areas of cyber security, from professional and managed services, through to developing commercial and open source security tools. More about MWR.